Apparatus and Method for Generating Physical Unclonable Function (PUF) Based Challenge Response Pair

ABSTRACT

An apparatus and an associated method for generating a PUF-based challenge response pair includes a first PUF device configured to receive input challenge information and generate first response information based on the input challenge information. A pseudorandom number generator is configured to generate, based on the first response information, P random number sequences, where P is a positive integer. A second PUF device is configured to obtain P pieces of second address information based on the P random number sequences, and generate P-bit second response information based on the P pieces of second address information.

CROSS-REFERENCE TO RELATED APPLICATIONS

This is a U.S. continuation of International Patent Application No. PCT/CN2021/097089, filed on May 31, 2021, which claims priority to Chinese Patent Application No. 202010545895.2, filed on Jun. 16, 2020. The disclosures of the aforementioned applications are hereby incorporated by reference in their entireties.

TECHNICAL FIELD

This disclosure relates to the field of information security, and in particular, to an apparatus and a method for generating a physical unclonable function (PUF)-based challenge response pair.

BACKGROUND

Internet of Things (IoT) is a network that connects connected devices, vehicles, household appliances, and other objects such as embedded electronics, software, or sensors. Connectivity enables these objects to connect to each other and exchange data. At an early stage of development of the Internet of Things, a major concern is focused on basic theory and application research. However, with rapid development of the Internet of Things, an information security problem of the Internet of Things is of great concern. In security of the Internet of Things, key storage and device authentication are two key technologies. Core system security is the basis of security, and is one means for implementing privacy information protection. Identity authentication is the most direct defense technology and provides the most advanced defense for the Internet of Things security.

As a promising hardware security, a physical unclonable function (PUF) is an alternative solution for low-cost key generation and device verification. The PUF is a physical entity that generates, by using a physical structure characteristic of a circuit, an easy-to-evaluate but hard-to-predict key without requiring other expensive hardware. In addition, a PUF embedded device is easy to manufacture but hardly replicable in practice, even if an exact manufacturing process for producing the PUF device is mastered. A current PUF can be divided into a strong PUF and a weak PUF. The weak PUF provides only a small quantity of CRPs (challenge response pairs). The weak PUF can be used as a unique key of a conventional encryption system device or as a random seed of a conventional encryption system. However, for some application protocols with frequent interaction, it is expected that the PUF can provide as many challenge response pairs as possible. In this case, a quantity of challenge response pairs of the PUF cannot meet a strong security requirement.

SUMMARY

Embodiments of this disclosure provide an apparatus and a method for generating a PUF-based challenge response pair. On one hand, a random number sequence generated by a pseudorandom number generator is used to select an address for a second PUF module to obtain final output response information, so that a quantity of challenge response pairs increases and correlation between adjacent response values of the final output response information decreases. On the other hand, response information that is output by a first PUF module is used as a seed value of the pseudorandom number generator, to ensure unpredictability of the random number sequence generated by the pseudorandom number generator, thereby increasing unpredictability of the final output response information.

According to a first aspect, this disclosure provides an apparatus for generating a PUF-based challenge response pair. The apparatus includes a first PUF module, a pseudorandom number generator, and a second PUF module. The pseudorandom number generator is separately communicatively connected to the first PUF module and the second PUF module. The first PUF module receives input challenge information, and generates first response information based on the input challenge information. The first PUF module sends, to the pseudorandom number generator, the first response information generated by the first PUF module. The pseudorandom number generator uses the received first response information as a random number sequence generation seed value to generate P random number sequences, and the pseudorandom number generator sends the generated P random number sequences to the second PUF module. The second PUF module obtains P pieces of second address information based on the P random number sequences, and generates P-bit second response information based on the P pieces of second address information, where P is a positive integer. The second response information serves as the final output response information. The input challenge information and the second response information constitute a challenge response pair, and a trusted root for a security key/security authentication is generated based on the challenge response pair.

In a possible implementation, the pseudorandom number generator uses the first response information as the random number sequence generation seed value, and the pseudorandom number generator generates P random number sequences based on the random number sequence generation seed value.

In a possible implementation, the first response information generated by the first PUF module is M bits, and a random number sequence generated by the pseudorandom number generator is M bits, where M is a positive integer greater than or equal to 2.

In another possible implementation, the pseudorandom number generator is a linear feedback shift register.

In another possible implementation, the linear feedback shift register includes a shift register and a feedback function.

In another possible implementation, the random number sequence is an M-bit random number sequence, and row information and column information of an address unit of the second PUF module are determined based on the M-bit random number sequence, where M is a positive integer greater than or equal to 2.

In an example, a first M1-bit random number sequence in the M-bit random number sequence is used to select a row of the address unit of the second PUF module, and a last M2-bit random number sequence in the M-bit random number sequence is used to select a column of the address unit of the second PUF module, where M=M1+M2, and both M1 and M2 are positive integers. For example, when M is 25, the first 20 bits of a 25-bit random number sequence are used to select a row of the address unit of the second PUF module, and the last 5 bits are used to select a column of the address unit of the second PUF module. In this way, an address unit is selected, so that a value stored in the selected address unit can be further generated.

In another possible implementation, the input challenge information is first address information. The first PUF module obtains a start address unit based on the first address information, determines consecutive address units based on the start address unit, and generates first response information based on the consecutive address units. The first response value is a first number sequence formed by values stored in the consecutive address units.

It should be explained herein that the consecutive address units are adjacent address units in a row of the address unit of the first PUF module. If the first PUF module generates a 25-bit response value, the consecutive address units are 25 consecutive address units.

That the first PUF module obtains the consecutive address units based on the start address unit includes: using the start address unit as a first address unit (including the start address unit), to obtain a second address unit adjacent to the first address unit, a third address unit adjacent to the second address unit, . . . , and an n^(th) address unit, where the first address unit, the second address unit, . . . , and the n^(th) address unit are consecutive address units obtained based on the start address unit, and n is a positive integer less than or equal to a quantity of address units of the first PUF module, or, determining a row of the address unit of the first PUF module based on the start address unit, and using, as a first address unit, an address spaced from the start address unit by a address units, to obtain a second address unit adjacent to the first address unit, a third address unit adjacent to the second address unit, . . . , and an n^(th) address unit, where n is a positive integer less than or equal to a quantity of address units of the first PUF module minus a.

Further, values stored in the consecutive address units are obtained, and that the values constitute the first response value includes: values stored in the consecutive address units that are the first address unit, the second address unit, . . . , and the n^(th) address unit, that is, a value stored in the first address unit is b1, a value stored in the second address unit is b2, . . . , and a value stored in the n^(th) address unit is bn. Therefore, the first response value is a number sequence of b1, b2, . . . , and bn.

In another possible implementation, the second PUF module determines P address units based on the P pieces of second address information, and generates P-bit second response information based on the P address units. The second response information is a P-bit second number sequence formed by P values stored in address units corresponding to the P pieces of second address information.

That the second response information is a P-bit second number sequence formed by P values stored in address units corresponding to the P pieces of second address information includes: The second PUF module successively determines P pieces of address information based on received P random number sequences, and selects P address units based on the P pieces of address information, thereby obtaining P values stored in the P address units, where the P values form a P-bit second response value, and sorting of the P values is determined based on an order of receiving the P random number sequences. For example, the second PUF module successively receives random number sequences P1, P2, P3, . . . , and Pn. The second PUF module selects an address unit based on the received random number sequence of P1, where a value stored in the address unit is c1. The second PUF module selects an address unit based on the received random number sequence of P2, where a value stored in the address unit is c2. The second PUF module selects an address unit based on the received random number sequence of P3, where a value stored in the address unit is c3. By analogy, the second PUF module selects an address unit based on the received random number sequence of Pn, where a value stored in the address unit is cn. Therefore, the second response value is a number sequence of c1, c2, . . . , and cn.

Optionally, values stored in address units of the first PUF module and the second PUF module are 0 or 1.

According to a second aspect, this disclosure provides a method for generating a PUF-based challenge response pair, including: sending input challenge information to a first PUF module, where the first PUF module is configured to generate first response information based on the input challenge information; sending the first response information to a pseudorandom number generator, where the pseudorandom number generator is configured to generate P random number sequences based on the first response information; and sending the P random number sequences to a second PUF module, where the second PUF module is configured to obtain P pieces of second address information based on the P random number sequences, and generate P-bit second response information based on the P pieces of second address information, and P is a positive integer.

In another possible implementation, that the pseudorandom number generator generates P random number sequences based on the first response information includes: The pseudorandom number generator uses the first response information as a random number sequence generation seed value, and the pseudorandom number generator generates P random number sequences based on the random number sequence generation seed value.

In another possible implementation, the first response information generated by the first PUF module is M bits, and a random number sequence generated by the pseudorandom number generator is M bits, where M is a positive integer greater than or equal to 2.

In another possible implementation, that the second PUF module is configured to obtain P pieces of second address information based on the P random number sequences includes: The random number sequence is an M-bit random number sequence, and row information and column information of an address unit of the second PUF module are determined based on the M-bit random number sequence, where M is a positive integer greater than or equal to 2.

In an example, that the second PUF module generates P-bit second response information based on the P pieces of second address information includes: The second address information is an M-bit random number sequence, a first M1-bit random number sequence in the M-bit random number sequence is used to select a row of the address unit of the second PUF module, and a last M2-bit random number sequence in the M-bit random number sequence is used to select a column of the address unit of the second PUF module, where M=M1+M2, and both M1 and M2 are positive integers.

In another possible implementation, that the sending input challenge information to a first PUF module, where the first PUF module is configured to generate first response information based on the input challenge information includes: The input challenge information is first address information, and the first PUF module obtains a start address unit based on the first address information, determines consecutive address units based on the start address unit, and generates first response information based on the consecutive address units, where the first response value is a first number sequence formed by values stored in the consecutive address units.

In another possible implementation, that the second PUF module generates P-bit second response information based on the P pieces of second address information includes: The second PUF module determines P address units based on the P pieces of second address information, and generates P-bit second response information based on the P address units, where the second response information is a P-bit second number sequence formed by P values stored in address units corresponding to the P pieces of second address information.

This disclosure provides an apparatus and a method for generating a PUF-based challenge response pair. On the one hand, a random number sequence generated by the pseudorandom number generator is used to select an address for the second PUF module to obtain final output response information, so that a quantity of challenge response pairs increases and correlation between adjacent values of the final output response information decreases. On the other hand, response information that is output by the first PUF module is used as a seed value of the pseudorandom number generator to ensure unpredictability of the random number sequence generated by the random number generator, thereby increasing unpredictability of the final output response information.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a schematic diagram of working of a PUF structure;

FIG. 2 is a schematic diagram of a structure of an apparatus for generating a challenge response pair of a static random-access memory (SRAM) PUF;

FIG. 3 is a schematic diagram of a structure of an apparatus for generating a PUF-based challenge response pair according to an embodiment of this disclosure;

FIG. 4 is a schematic diagram of a structure of an SRAM PUF module 11 of an apparatus for generating a PUF-based challenge response pair according to an embodiment of this disclosure;

FIG. 5 is a schematic diagram of a structure of a random number generator of an apparatus for generating a PUF-based challenge response pair according to an embodiment of this disclosure;

FIG. 6 is a schematic diagram of a structure of an SRAM PUF module 13 of an apparatus for generating a PUF-based challenge response pair according to an embodiment of this disclosure;

FIG. 7 is a schematic diagram of selecting an address when a random number sequence is 25 bits according to an embodiment of this disclosure;

FIG. 8 is a schematic diagram of a structure of an address unit of an SRAM PUF module 11 when a quantity of response bits of the SRAM PUF module 11 is 25 bits according to an embodiment of this disclosure; and

FIG. 9 is a schematic diagram of an application scenario of an apparatus for generating a PUF-based challenge response pair according to an embodiment of this disclosure.

DESCRIPTION OF EMBODIMENTS

The technical solutions of this disclosure are further described in detail with reference to accompanying drawings and embodiments as follows.

Due to complexity and randomness of a process, a PUF (physically unclonable function) structure cannot be replicated to obtain another copy from a perspective of engineering practice. As shown in FIG. 1, input-output of the PUF has a function mapping relationship (Function). When a user gives an input challenge to the PUF, the PUF device can generate an output response, and the output response is random, unpredictable, and cannot be replicated. Such a pair of input-output relationships is referred to as a challenge-response pair (CRP). From this perspective, the PUF may be considered as a physical implementation of a mathematical one-way function.

A PUF solution that is currently obtained and that is for large-scale application is basically based on an SRAM structure. Therefore, an SRAM PUF is used as an example to explain an apparatus and a method for generating a PUF-based challenge response pair.

FIG. 2 is a schematic diagram of a structure of an apparatus for generating a challenge response pair of an SRAM PUF. A structure is a single-stage SRAM PUF structure. However, the SRAM PUF is a weak PUF, and a quantity of challenge response pairs of the SRAM PUF is relatively small. For some application protocols with frequent interaction, it is expected that the PUF module can provide as many challenge response pairs as possible. In this case, the quantity of challenge response pairs of the SRAM PUF cannot meet a requirement.

The apparatus includes a registration mode and a reconstruction mode. The registration mode includes: recording an original challenge response pair (it should be explained that the original challenge response pair herein is a response value of start address information—consecutive address units), encoding the original challenge response pair to generate auxiliary data, and storing the auxiliary data in a memory. The reconstruction mode includes: decoding the auxiliary data to obtain a recorded original challenge response pair, and generating an output response consistent with an output response of the registration when the input challenge is received.

An exemplary working process is as follows:

After being mapped by an input mapping function, an input parameter c acts on the SRAM PUF module to determine whether auxiliary data corresponding to a mapped input parameter c exists in the memory. If the auxiliary data does not exist, a response is registered. Otherwise, the response is reconstructed. The obtained response passes through an output mapping function to obtain a parameter r. The parameter c-parameter r is a challenge response pair.

The foregoing apparatus for generating a challenge response pair of an SRAM PUF maps an input challenge into one piece of start address information through a common mapping function. Values stored in consecutive address units are used as responses. In this manner, a correspondence between a challenge and a response is regular, and security of correlation between adjacent address units is also reduced.

An embodiment of this disclosure provides an apparatus for generating a PUF-based challenge response pair. As shown in FIG. 3, the apparatus includes: an SRAM PUF module 11 (that is, a first PUF module), a pseudorandom number generator 12, and an SRAM PUF module 13 (that is, a second PUF module). The pseudorandom number generator 12 is separately communicatively connected to the SRAM PUF module 11 and the SRAM PUF module 13. An example of a working procedure is as follows:

First, the SRAM PUF module 11 receives input challenge information, and generates M-bit first response information based on the input challenge information. The SRAM PUF module 11 sends, to the pseudorandom number generator 12, the first response information generated by the SRAM PUF module 11.

Then, the pseudorandom number generator 12 uses the received first response information as a random number sequence generation seed value to generate P M-bit random number sequences, and the pseudorandom number generator 12 sends the generated P M-bit random number sequences to the SRAM PUF module 13.

Finally, the SRAM PUF module 13 uses the received P M-bit random number sequences as address information of the SRAM PUF module 13. The SRAM PUF module 13 generates P-bit second response information based on the address information. The second response information is output as final output response information.

Therefore, the input challenge information and the second response information constitute a challenge response pair of the apparatus for generating a PUF-based challenge response pair.

The apparatus for generating a PUF-based challenge response pair in this embodiment of this disclosure uses P random number sequences generated by the random number generator to select an address for an address unit of the SRAM PUF module. Each random number sequence is used to select a value stored in an address unit corresponding to the SRAM PUF module. P random number sequences are used to select P values, and a P-bit response value formed by the P values is a P-bit response value that is finally output. An output response value of the apparatus for generating a challenge response pair of the single-stage SRAM PUF structure is formed by values stored in the consecutive address units, and the consecutive address units are obtained by using start address information obtained by mapping the input challenge through the input mapping function. For example, a start address unit determines a row of the address unit of the SRAM PUF module. The start address unit is used as a first address unit (including the start address unit). A second address unit adjacent to the first address unit, a third address unit adjacent to the second address unit, . . . , and an n^(th) address unit are obtained, where n is a positive integer less than or equal to a quantity of columns of the address unit of the first PUF module. When the P-bit response value is generated, the SRAM PUF module needs to have at least P consecutive address units, and then at least a P-bit response address unit is needed. However, the apparatus for generating a PUF-based challenge response pair in this embodiment of this disclosure may also generate the P-bit response value without requiring the P-bit response address unit. Therefore, when a response value of a same quantity of bits is generated, the apparatus for generating a PUF-based challenge response pair in this embodiment of this disclosure needs a smaller response address unit.

For example, if a 25-bit response value is generated, a response address unit of the apparatus for generating a challenge response pair of the single-stage SRAM PUF structure needs to have at least 25 consecutive address units. Therefore, a size of the response address unit is at least 25 bits. According to the apparatus for generating a PUF-based challenge response pair in this embodiment of this disclosure, the pseudorandom number generator 12 needs to generate 25 random number sequences, and select an address for the response address unit to generate a 25-bit response value. Theoretically, response space only needs to be greater than 1 bit to generate the 25-bit response value. Therefore, when a response value of a same quantity of bits is generated, the apparatus for generating a PUF-based challenge response pair in this embodiment of this disclosure needs a smaller response address unit.

In addition, the SRAM PUF module 13 of the apparatus for generating a PUF-based challenge response pair in this embodiment of this disclosure uses, as address information, a random number sequence generated by the pseudorandom number generator, to select an address to generate response information. This resolves a problem of correlation between adjacent address units, and improves security of a challenge response pair generated by the entire apparatus.

In addition, response information generated by the physical unclonable function (the SRAM PUF module 11) is used as a random number sequence generation seed value of the pseudorandom number generator. Because of an unclonable characteristic of the physical unclonable function, and randomness and unpredictability of output, security of the random number sequence generation seed value is ensured.

As shown in FIG. 4, the SRAM PUF module 11 of the apparatus for generating a PUF-based challenge response pair in this embodiment of this disclosure includes an encoding module 111, a nonvolatile memory 112, and a decoding module 113. The SRAM PUF module 11 includes a registration mode and a response mode. The registration mode includes: recording original challenge response pair information (that is, a response value of start address information—consecutive address units), encoding the information by using the encoding module 111 to generate first auxiliary data, and saving the first auxiliary data to the nonvolatile memory 112. The reconstruction mode includes: using the reconstruction mode each time the SRAM PUF module 11 is energized again after the registration, and using the first auxiliary data and the decoding module 113 to enable a response obtained each time to be consistent with a response obtained during the registration. It should be noted that the apparatus for generating a PUF-based challenge response pair in this embodiment of this disclosure imposes no limitation on encoding and decoding methods of the encoding module 111 and the decoding module 113, provided that the encoding module can encode the original challenge response pair information to generate the computer recognizable first auxiliary data that is easily stored, and the decoding module can decode the first auxiliary data into the original challenge response pair.

A working process is as follows:

The SRAM PUF module 11 receives first address information (that is, input challenge information), and determines whether auxiliary data corresponding to the first address information exists in the nonvolatile memory 112. If the auxiliary data does not exist, an M-bit first response value of the consecutive address units that use the first address information as a start address is registered and output by using the registration mode. If the auxiliary data exists, an M-bit first response value of the consecutive address units that use the first address information as a start address is output by using the reconstruction mode. The M-bit first response value is the first response information. The first response information is sent to the pseudorandom number generator 12 as the random number sequence generation seed value of the pseudorandom number generator 12. Because the SRAM PUF module 11 has physical non-clonality, uniqueness, and unpredictability, an unpredictable random number seed may be directly obtained by using a challenge response pair, thereby ensuring that the pseudorandom number generator 12 generates a secure and reliable random number sequence.

It should be noted herein that the SRAM PUF module 11 may set the input mapping function, and map the input challenge information into the first address information through the mapping function, or may not set the input mapping function, and the input challenge information is directly the first address information.

The pseudorandom number generator 12 of the apparatus for generating a PUF-based challenge response pair in this embodiment of this disclosure uses the first response information as the random number sequence generation seed value, and the pseudorandom number generator 12 generates P M-bit random number sequences based on the random number sequence generation seed value.

Further, the pseudorandom number generator 12 is a linear feedback shift register (as shown in FIG. 5), and includes a shift register and a feedback function. The shift register is a bit sequence, and data is stored in each bit of the bit sequence. Each time new data is generated, data of all bits in the shift register is shifted by one bit to the right, and removed data is output of the shift register. An empty leftmost bit is used to store the new data. The new data is obtained by performing calculation on all other bits through the feedback function, where the feedback function is a linear function. In an example, an algorithm feature polynomial of the linear feedback shift register is f(x)=x^(25)+x^(3)+1. A random number sequence generated by the linear feedback shift register of the apparatus for generating a PUF-based challenge response pair in this embodiment of this disclosure has been proved to be of good randomness. A meaning of pseudorandom is that a same random number sequence is generated only if a seed value is fixed. Therefore, the challenge and the response are in a one-to-one correspondence.

As shown in FIG. 6, the SRAM PUF module 13 of the apparatus for generating a PUF-based challenge response pair in this embodiment of this disclosure includes an encoding module 131, a nonvolatile memory 132, and a decoding module 133. The SRAM PUF module 13 includes a registration mode and a response mode. The registration mode includes: recording a random number sequence and response value information, encoding the random number sequence and the response value information by using the encoding module 131 to generate second auxiliary data, and saving the second auxiliary data to the nonvolatile memory 132. The reconstruction mode includes: using the reconstruction mode each time the SRAM PUF module 13 is energized again after the registration, and using the second auxiliary data and the decoding module 133 to enable a response obtained each time to be consistent with a response obtained during the registration.

A working process is as follows:

The SRAM PUF module 13 receives P random number sequences generated by the pseudorandom number generator, determines whether auxiliary data corresponding to the random number sequence exists in the nonvolatile memory 132. If the auxiliary data does not exist, a P-bit response value is registered and output by using the registration mode. If the auxiliary data exists, a P-bit response value is output by using the reconstruction mode. The output P-bit response value may be directly output as final P-bit response information or mapped into final response information through the output mapping function.

The following describes an example of a solution in which the SRAM PUF module 13 uses a received M-bit random number sequence as address information to select an address.

The SRAM PUF module 13 determines row information and column information of the address unit of the SRAM PUF module 13 based on the M-bit random number sequence. Address information of the address unit of the SRAM PUF module 13 may be determined and obtained based on the row information and column information, thereby selecting the address unit.

In an example, the SRAM PUF module 13 uses a first M1-bit random number sequence in the M-bit random number sequence to select a row of the address unit of the SRAM PUF module 13, and uses a last M2-bit random number sequence in the M-bit random number sequence to select a column of the address unit of the SRAM PUF module 13, where M=M1+M2.

As shown in FIG. 7, when a random number sequence is 25 bits, the first 20 bits of the random number sequence are used to select a row of the address unit of the SRAM PUF module 13, and the last 5 bits are used to select a column of the address unit of the SRAM PUF module 13, that is, an address unit of the SRAM PUF module is selected, so that a value stored in the address unit can be obtained.

Certainly, the way in which the SRAM PUF module 13 determines the row information and column information of the address unit of the second PUF module based on the M-bit random number sequence is not limited to the method in the foregoing example. Another preset rule may alternatively determine the row information and column information of the address unit of the second PUF module based on the M-bit random number sequence.

It should be explained that the values stored in the address units of the SRAM PUF module 11 and the SRAM PUF module 13 are 0 or 1. Both the first response information generated by the SRAM PUF module 11 and the second response information generated by the SRAM PUF module 13 are number sequences formed by 0 and 1.

The apparatus for generating a PUF-based challenge response pair in this embodiment of this disclosure selects address information of the SRAM PUF module 13 based on P random number sequences generated by the pseudorandom number generator 12. Each random number sequence is used to select a response value of the address unit of the SRAM PUF module 13. The P random number sequences are used to select values of P address units of the SRAM PUF module, and then a P-bit response value is output, where the P-bit response value is final output response information. The existing PUF structure maps an input challenge into a start address and outputs the values of the consecutive address units as response information. Compared with that, the response information that is output by the apparatus for generating a PUF-based challenge response pair in this embodiment of this disclosure overcomes correlation between adjacent values, so that the response information that is finally output is more secure and reliable.

A quantity of final output response bits of the apparatus for generating a PUF-based challenge response pair in this embodiment of this disclosure mainly depends on a quantity of random number sequences generated by the pseudorandom number generator 12. The P random number sequences are used to select values of P response address units as a P-bit output response, and an output response generated by the current PUF structure is values stored in the consecutive address units of the start address. It can be learned that a quantity of output response bits of the current PUF structure depends on a size of the response address unit of the PUF structure. However, a quantity of output response bits of the apparatus for generating a PUF-based challenge response pair in this embodiment of this disclosure mainly depends on a quantity of random numbers, and is not limited by the size of the response address unit. Therefore, when a same quantity of output response bits is generated, a response address unit of the apparatus for generating a PUF-based challenge response pair in this embodiment of this disclosure is smaller than a response address unit of the current PUF structure, thereby saving more PUF address unit resources.

For example, assuming that a key length is 256 bits, 2^25 keys need to be generated, where the key length depends on a quantity of output response bits, and a quantity of keys depends on a quantity of challenge response pairs. An apparatus for generating a challenge response pair of the SRAM PUF of the single-stage SRAM PUF structure needs to meet a response address unit of 256 bits, and a quantity of generated challenge response pairs is 2^25. Therefore, SRAM PUF space required by the apparatus is 2^25*256 bits.

A quantity of challenge response pairs of the apparatus for generating a PUF-based challenge response pair in this embodiment of this disclosure depends on a quantity of random number seeds, that is, depends on a quantity of challenge response pairs of the SRAM PUF module 11. To generate 2^25 keys, the SRAM PUF module 11 needs to generate 2^25 challenge response pairs. To generate the 2^25 challenge response pairs, response space of the SRAM PUF module 11 needs to be 25 bits (as shown in FIG. 8). Therefore, an address unit of the SRAM PUF module 11 is 2^25*25 bits. To generate a key length of 256 bits, a 256-bit output response needs to be generated. To generate the 256-bit output response, the pseudorandom number generator 12 needs to generate 256 random number sequences. Therefore, the SRAM PUF module 13 only needs to meet 25-bit random number sequence address space. The 25-bit random number sequence is used to select an address for the response address unit of the SRAM PUF module 13. A first 20-bit random number sequence is used to select a row of the response address unit, and the last 5 bits are used to select a column of the response address unit. Therefore, if the address unit of the SRAM PUF module 13 is 2^20*32 bits, a 256-bit output response can be generated. If the address unit of the SRAM PUF module 11 is 2^25*25 bits and the address unit of the SRAM PUF module 13 is 2^20*32 bits, 2^25 keys each with a length of 256 bits can be generated. Compared with the apparatus for generating a challenge response pair of the SRAM PUF of the single-stage SRAM PUF structure, the apparatus for generating a PUF-based challenge response pair in this embodiment of this disclosure requires only approximately one tenth of resources. Therefore, the apparatus for generating a PUF-based challenge response pair in this embodiment of this disclosure saves more space on the basis of generation of a same quantity of challenge response pairs.
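
The "approximately one tenth" figure, worked through as an added calculation that is not part of the original text, reading the key count and the array sizes as the powers of two 2^25 and 2^20:

single-stage structure: 2^25*256 = 8,589,934,592 bits
two-stage structure: 2^25*25 + 2^20*32 = 838,860,800 + 33,554,432 = 872,415,232 bits
ratio: 872,415,232 / 8,589,934,592 = 26/256, approximately 0.10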

In addition, a quantity of response bits of the SRAM PUF module, a quantity of random number bits, and a space size of the SRAM PUF module 13 can be designed according to a requirement, thereby achieving higher security and a larger quantity of keys. For example, if a 35-bit random number is used to select an address for a 1G response PUF, a maximum of 2^35 challenge response pairs can be ideally generated.

In addition, the apparatus for generating a challenge response pair of the SRAM PUF of the single-stage SRAM PUF structure maps a challenge to a specific address through a mathematical function, thereby obtaining values stored in a segment of consecutive address units as a response. All chips use a fixed mapping function. As long as the challenge response pair is cracked once, an address unit to be addressed can be predicted by using the challenge, thereby reducing unpredictability of the entire module.

The apparatus for generating a PUF-based challenge response pair in this embodiment of this disclosure performs mapping by using the SRAM PUF module 11, to enhance non-replicability of a random source. The challenge is mapped into a random number seed based on unpredictability of the challenge response pair of the SRAM PUF module 11. The SRAM PUF module 11 performs mapping by using different challenge response pairs, so that some challenge response pairs cannot be cracked and therefore a mapping relationship cannot be cracked. Even if challenge response pairs of one SRAM PUF module 11 are exhausted, a mapping relationship of another SRAM PUF module 11 cannot be obtained.

A response corresponding to a challenge of a solution of the apparatus for generating a challenge response pair of a single-stage SRAM PUF structure is values stored in a segment of consecutive address units. However, the apparatus for generating a PUF-based challenge response pair in this embodiment of this disclosure uses the pseudorandom number generator 12 to generate 256 random number sequences based on a 25-bit response (that is, a random number seed) generated by the SRAM PUF module 11. The 256 random number sequences are used as address selection data to select, as a response, values stored in 256 address units from the SRAM PUF module 13. The SRAM PUF module 13 obtains a corresponding randomly distributed 256-bit response value from the SRAM PUF module 13 of 1M words based on the 256 random number sequences. This overcomes a disadvantage that the consecutive address units have correlation, and can further increase a quantity of challenge response pairs.

The apparatus for generating a PUF-based challenge response pair in this embodiment of this disclosure may be used for device authentication of the Internet of Things or Internet of Vehicles.

As shown in FIG. 9, the Internet of Things system includes a client device 2 (including a vehicle, a household appliance, and other embedded electronics, software, sensors, camera devices and the like) and a database end device 3 (a server for storing data). An apparatus 1 for generating a PUF-based challenge response pair is disposed on the client device. The client device 2 and the database end device 3 can be interconnected to perform data transmission only after authentication succeeds. The database end device 3 pre-stores all challenge response pairs of the apparatus 1 for generating a PUF-based challenge response pair. When authentication needs to be performed, the database end device 3 selects a challenge and sends the challenge to the client device 2. The client device 2 obtains, based on the challenge, a corresponding response from the apparatus 1 for generating a PUF-based challenge response pair, and returns the response to the database end device 3. The database end device 3 compares the obtained response with a locally stored challenge response. If the two responses are consistent, the authentication succeeds; otherwise, the authentication fails.
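
The two-stage addressing described earlier (a seed from the first PUF, M-bit sequences split into row and column bits) and the FIG. 9 exchange, as an added Python model that is not part of the patent text. The 8-bit width, the LFSR taps, the array contents and all function names are assumptions, and the arrays are noise-free stand-ins for SRAM power-up values after reconstruction.

```python
import hmac
import random

M1, M2 = 6, 2            # row / column address bits (the page's example uses 20 and 5)
M = M1 + M2              # width of the seed and of every random number sequence
P = 32                   # response bits (the page's example uses 256)
TAPS = (8, 6, 5, 4)      # assumed LFSR taps, a maximal-length set for 8 bits


def make_array(rows, cols, label):
    """Constructed stand-in for a chip's stable SRAM power-up values (0 or 1)."""
    rng = random.Random(label)
    return [[rng.getrandbits(1) for _ in range(cols)] for _ in range(rows)]


def first_response(puf1, challenge):
    """First PUF: the challenge addresses M consecutive cells; their bits are the seed."""
    seed = int("".join(str(b) for b in puf1[challenge]), 2)
    return seed or 1     # an all-zero seed would leave an XOR-feedback LFSR stuck at zero


def lfsr_sequences(seed, count):
    """Shift an M-bit LFSR M times per output so each sequence is a fresh M-bit state."""
    state, out = seed, []
    for _ in range(count):
        for _ in range(M):
            feedback = 0
            for tap in TAPS:
                feedback ^= (state >> (tap - 1)) & 1
            state = ((state << 1) | feedback) & ((1 << M) - 1)
        out.append(state)
    return out


def split_address(sequence):
    """First M1 bits select the row, last M2 bits select the column."""
    return sequence >> M2, sequence & ((1 << M2) - 1)


def respond(chip, challenge):
    """Two-stage response: P scattered cells of the second PUF, one bit each."""
    puf1, puf2 = chip
    seed = first_response(puf1, challenge)
    cells = (split_address(s) for s in lfsr_sequences(seed, P))
    return bytes(puf2[row][col] for row, col in cells)


def make_chip(chip_id, challenges=16):
    """Hypothetical chip: one M-bit row per challenge, plus a 2^M1 x 2^M2 second array."""
    puf1 = make_array(challenges, M, f"{chip_id}/stage1")
    puf2 = make_array(1 << M1, 1 << M2, f"{chip_id}/stage2")
    return puf1, puf2


def enroll(chip, challenges=16):
    """Database end device: pre-store every challenge response pair of the chip."""
    return {c: respond(chip, c) for c in range(challenges)}


def authenticate(database, chip, challenge):
    """Send one stored challenge and compare the returned response in constant time."""
    return hmac.compare_digest(database[challenge], respond(chip, challenge))


if __name__ == "__main__":
    genuine, other = make_chip("chip-A"), make_chip("chip-B")
    database = enroll(genuine)
    print("genuine:", authenticate(database, genuine, 3))
    print("other chip:", authenticate(database, other, 3))
```

Because an LFSR of this kind never reaches the all-zero state, the cell at row 0, column 0 of the second array is never selected in this model.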

The apparatus for generating a PUF-based challenge response pair in this embodiment of this disclosure may be further applied to key generation.

For example, by using randomness and unpredictability of a challenge response pair generated by the apparatus for generating a PUF-based challenge response pair, the apparatus for generating a PUF-based challenge response pair is challenged to generate several challenge response pairs. The challenge response pair generated by the apparatus is taken as a key. When the apparatus for generating a PUF-based challenge response pair is powered on, a key is generated, and when the apparatus for generating a PUF-based challenge response pair is powered off, the key disappears. Therefore, this key generation method does not need the pseudo random number generator (PRNG) compared with the conventional technology, and randomness may be provided by the device. In addition, protected nonvolatile storage space is not needed, either. A same key may be regenerated as required based on a device random fingerprint (a challenge response pair).

A person of ordinary skill in the art may be aware that, in combination with the examples described in embodiments disclosed in this specification, units and algorithm steps may be implemented by electronic hardware, computer software, or a combination thereof. To clearly describe interchangeability between the hardware and the software, the foregoing has generally described compositions and steps of each example according to functions. Whether the functions are performed by hardware or software depends on particular applications and design constraint conditions of the technical solutions. A person of ordinary skill in the art may use different methods to implement the described functions for each particular application, but it should not be considered that the implementation goes beyond the scope of this disclosure.

Steps of methods or algorithms described in embodiments disclosed in this specification may be implemented by hardware, a software module executed by a processor, or a combination thereof. The software module may be configured in a random-access memory (RAM), a memory, a read-only memory (ROM), an electrically programmable ROM, an electrically erasable programmable ROM, a register, a hard disk, a removable disk, a compact disc read-only memory (CD-ROM), or a storage medium in any other forms well-known in the art.

In the foregoing implementations, the objective, technical solutions, and benefits of this disclosure are further described in detail. It should be understood that the foregoing descriptions are merely example implementations of this disclosure, but are not intended to limit the protection scope of this disclosure. Any modification, equivalent replacement, or improvement made without departing from the principle of this disclosure should fall within the protection scope of this disclosure.

1. An apparatus for generating a physical unclonable function (PUF)-based challenge response pair, comprising: a first PUF configured to: receive input challenge information; and generate, based on the input challenge information, first response information; a pseudorandom number generator configured to generate, based on the first response information, P random number sequences, wherein P is a positive integer; and a second PUF, configured to: obtain, based on the P random number sequences, P pieces of second address information; and generate, based on the P pieces of second address information, P-bit second response information.
 2. The apparatus of claim 1, wherein the pseudorandom number generator is further configured to: use the first response information as a random number sequence generation seed value; and further generate, based on the random number sequence generation seed value, the P random number sequences.
 3. The apparatus of claim 2, wherein the pseudorandom number generator comprises a linear feedback shift register.
 4. The apparatus of claim 3, wherein the linear feedback shift register further comprises a shift register and a feedback function.
 5. The apparatus of claim 1, wherein the first response information is M bits, wherein at least one of the P random number sequences is M bits, and wherein M is a positive integer greater than or equal to 2.
 6. The apparatus of claim 1, wherein the P random number sequences are M-bit random number sequences, wherein row information and column information of an address unit of the second PUF module are based on the M-bit random number sequence, and wherein M is a positive integer greater than or equal to two.
 7. The apparatus of claim 1, wherein the input challenge information comprises first address information, wherein the first PUF is configured to obtain a start address unit based on the first address information, wherein P consecutive address units are based on the start address unit, wherein the first response information is based on the P consecutive address units, and wherein the first response information is a first number sequence comprising values stored in the P consecutive address units.
 8. The apparatus of claim 7, wherein the P consecutive address units are based on the P pieces of second address information, wherein the P-bit second response information is based on the P consecutive address units, and wherein the P-bit second response information is a P-bit second number sequence comprising P values stored in address units corresponding to the P pieces of second address information.
 9. A method for generating a physical unclonable function (PUF)-based challenge response pair, comprising: sending input challenge information to a first PUF; generating, by the first PUF, based on the input challenge information, first response information; sending the first response information to a pseudorandom number generator; generating, by the pseudorandom number generator, based on the first response information, P random number sequences, wherein P is a positive integer; sending the P random number sequences to a second PUF; obtaining, by the second PUF, based on the P random number sequences, P pieces of second address information; and generating, by the second PUF, based on the P pieces of second address information, P-bit second response information.
 10. The method of claim 9, wherein the pseudorandom number generator generating P random number sequences further comprises: using, by the pseudorandom number generator, the first response information as a random number sequence generation seed value; and generating, based on the random number sequence generation seed value, P random number sequences.
 11. The method of claim 9, wherein the first response information is M bits, wherein at least one of the P random number sequences is M bits, and wherein M is a positive integer greater than or equal to two.
 12. The method of claim 9, wherein obtaining, by the second PUF, P pieces of second address information further comprises determining an M-bit random number sequence and row information and column information of an address unit of the second PUF, wherein M is a positive integer greater than or equal to two.
 13. The method of claim 9, wherein the first PUF generating first response information further comprises: obtaining input challenge information comprising first address information; obtaining a start address unit based on the first address information; determining consecutive address units based on the start address unit; generating a first number sequence comprising values stored in the consecutive address units; and generating, based on the first number sequence, the first response information.
 14. The method of claim 9, wherein the second PUF module generating P-bit second response information further comprises: determining, by the second PUF, based on P pieces of second address information, P address units; generating a P-bit second number sequence comprising values stored in address units corresponding to the P pieces of second address information; and generating, based on the P-bit second number sequence, P-bit second response information.
 15. A computer program product comprising instructions stored on a non-transitory medium that, when executed by a processor, cause an apparatus to: generate a physical unclonable function (PUF)-based challenge response pair by: sending input challenge information to a first PUF; generating, by the first PUF, based on the input challenge information, first response information; sending the first response information to a pseudorandom number generator; generating, by the pseudorandom number generator, based on the first response information, P random number sequences, wherein P is a positive integer; sending the P random number sequences to a second PUF; obtaining, by the second PUF, based on the P random number sequences, P pieces of second address information; and generating, by the second PUF, based on the P pieces of second address information, P-bit second response information.
 16. The computer program product of claim 15, wherein the instructions further cause the pseudorandom number generator to: generate P random number sequences using the first response information as a random number sequence generation seed value; and generate, based on the random number sequence generation seed value, P random number sequences.
 17. The computer program product of claim 15, wherein the instructions further cause the first PUF to generate the first response information comprising M bits, wherein a random number sequence is M bits, and wherein M is a positive integer greater than or equal to two.
 18. The computer program product of claim 15, wherein the instructions further cause the second PUF to obtain P pieces of second address information by determining an M-bit random number sequence and row information and column information of an address unit of the second PUF, wherein M is a positive integer greater than or equal to two.
 19. The computer program product of claim 15, wherein the instructions further cause the first PUF to: obtain input challenge information comprising first address information; obtain a start address unit based on the first address information; determine consecutive address units based on the start address unit; generate a first number sequence comprising values stored in the consecutive address units; and generate, based on the first number sequence, the first response information.
 20. The computer program product of claim 15, wherein the instructions further cause the second PUF to: determine, based on P pieces of second address information, P address units; generate a P-bit second number sequence comprising values stored in address units corresponding to the P pieces of second address information; and generate, based on the P-bit second number sequence, P-bit second response information.